Chapter 2

The Guide to Zero Trust Maturity Model

February 24, 2023

Zero trust (ZT) is a paradigm shift in network security, a new set of design principles that conceptually changes how modern networks are secured. Traditional network security relies upon implicit trust for resource access (that is, internal users are considered trustworthy) and focuses on protecting the defined network perimeter. The zero trust architecture (ZTA) model was proposed on the belief that the implicit trust model is flawed: once a perimeter is breached, implicit trust benefits the attacker by enabling uncontested lateral movement within the network.

The ZT design principles shift focus away from the network perimeter, taking a resource-centric approach to security. All data and systems are considered resources, with none implicitly trusted, regardless of privilege. All data traffic is considered hostile, and compromise is assumed unless there is explicit authorization.

Maturing a zero trust architecture is a journey that must be led from the top of an enterprise. ZT is neither a single product that can be installed nor a new technology. Zero trust deployment requires commitment, time, strong leadership, and a robust strategy. A ZTA may require a change in an enterprise’s cybersecurity culture to reach maturity, so senior leadership must fully support and provide resources to a ZT strategy to ensure success.

This article discusses some best practices to assist an enterprise in maturing a ZTA program. The focus will be on the Zero Trust Maturity Model created by the Cybersecurity and Infrastructure Security Agency (CISA). The article suggests enterprise best practices to mature the seven pillars of ZT, guided by the tenets and assumptions of NIST SP 800-207.

Zero Trust Maturity Summary

A zero trust architecture is best visualized as seven pillars that are matured and integrated across an enterprise. The seven pillars discussed in this article are illustrated below.

Zero Trust Pillars

Optimal ZT maturity is achieved by evolving and integrating the pillars through four maturity levels. Success is reliant upon the creation of a robust, long-term strategy fully supported by senior management at all stages.

  • Traditional Maturity Level: Traditional network architectures have large perimeters and are macro-segmented with little or no automation. An enterprise with this level of maturity has not started its zero trust journey.
  • Initial Maturity Level: This stage is marked by the initiation of the automation necessary for assigning attributes and managing lifecycles, aiding in policy decision-making and enforcement. Cross-pillar solutions are introduced, laying the groundwork for more complex, interconnected systems in the future. Aggregated visibility for internal systems offers an encompassing view of the security landscape, setting the stage for further development and fine-tuning.
  • Advanced Maturity Level: An advanced maturity level will see more cross-pillar integration, micro-segmentation, basic analytics, and automation successfully implemented. An enterprise will have achieved an elevated level of security but still lack the refinement of a fully mature ZT architecture.
  • Optimal Maturity Level: Optimal ZT maturity is the ultimate aim of an enterprise implementing a ZT solution. At this level of maturity, enhanced policy enforcement, centralized management, risk mitigation, and incident response will be in operation. An enterprise at this level of maturity will have fully achieved ZT.

The table below summarizes the pillars and related technologies as they advance from traditional networks through the four maturity levels to the optimal implementation.

Identity
  • Traditional: On-premises Identification, Authentication, Authorization, and Accountability (IAAA), with identities authenticated by single-factor authentication (SFA) in most enterprises
  • Initial: Multi-factor authentication (MFA) is introduced alongside self-managed and hosted identity stores. Access rights now expire, triggering automated reviews, although manual identity risk assessments still persist.
  • Advanced: IAAA performed as a combination of federated and on-premises systems, with identities authenticated by MFA
  • Optimal: Identities authenticated using MFA for initial access and then continually validated throughout the user’s session

Device
  • Traditional: Device compliance with limited visibility and manual asset management
  • Initial: All physical assets are tracked, and limited device-based access control and compliance enforcement begin to take shape. Protection measures are partially automated, initially moving away from manual processes.
  • Advanced: Most devices have compliance enforcement mechanisms, with automated methods employed to track assets
  • Optimal: Continually monitored and validated device security posture, with asset and vulnerability management integrated across all environments

Network
  • Traditional: Network architectures have large perimeters and are macrosegmented, with internal/external traffic explicitly encrypted
  • Initial: Critical workloads begin to be isolated, network capabilities are adjusted to manage more applications, and dynamic configurations are introduced to parts of the network. Encryption becomes more widespread and key management policies get formalized.
  • Advanced: Much of the network defined by ingress/egress microperimeters and microsegmentation; all traffic to internal applications encrypted
  • Optimal: A zero trust network access (ZTNA) controller authenticates connection requests from endpoints based on policies; all network traffic is encrypted

Application
  • Traditional: Remote application access governed by VPN and traditional firewalls that block traffic by port, protocol, destination and source addresses
  • Initial: Some mission-critical workflows begin to incorporate integrated protection measures, and applications become accessible over public networks, strictly to authorized users.
  • Advanced: Remote on-premises application access by VPN with some application access in the cloud; active connections tracked and monitored using stateful firewalls
  • Optimal: Identity-based access control with direct access to applications; web application firewalls inspecting application layer traffic using dynamic policies

Data
  • Traditional: Data at rest stored on-premises unencrypted, with inconsistent manual data categorization
  • Initial: Automation is introduced for data inventory and access control to a limited extent, strategies for data categorization begin, and some data stores become highly available. Some data is encrypted in transit, implementing initial centralized key management policies.
  • Advanced: Data at rest encrypted and stored in cloud or remote environments, with a combination of manual and static methods used to categorize data
  • Optimal: All data at rest encrypted and data categorization enhanced by machine learning

Observability
  • Traditional: Limited data and log inventories prevent a holistic view of the enterprise network, with static attributes used for observing user activity
  • Initial: Limited automation is introduced for monitoring network activities, with a basic framework for real-time threat alerts and responses beginning to take shape.
  • Advanced: Most data and logs are inventoried, with manual analysis of aggregated user activity
  • Optimal: All access events are analyzed for suspicious activity, with user visibility centralized via user and entity behavior analytics (UEBA)

Analytics and Automation
  • Traditional: The organization relies on manual administration of systems, networks, devices, and application environmental changes
  • Initial: Basic data analytics and automation of simpler tasks commence, paving the way for a more robust, data-driven security approach.
  • Advanced: Basic automation of device provisioning and change workflows; applications can inform network and system devices of changing state
  • Optimal: Fully enforced automated security policies and administration; device and network configurations automated using infrastructure as code and continuous integration/continuous deployment (CI/CD) models

Zero Trust Tenets and Assumptions

NIST SP 800-207 discusses seven tenets and six assumptions that regulate ZT resource access and data management. When an enterprise takes action to progress pillars, it must consider the tenets and assumptions. These tenets are idealistic and aspirational targets to be considered on the path to maturity. It is acknowledged that enterprise technologies, policies, and strategies will restrict and impact the extent to which tenets are applied. The tenets and assumptions are displayed below.

Tenets

  • All enterprise network entities are considered resources
  • All communication is secured
  • Resources are accessed on a per-session basis
  • Resource access is determined by dynamic policies
  • Data integrity must be maintained at all times
  • Resources are rigorously authenticated and authorized continually
  • Enterprise data is collected to improve security

Assumptions

  • The enterprise network is not an implicit trust zone
  • Devices on the network may not be owned or configurable by the enterprise
  • No device is inherently trusted
  • Enterprise resources may reside on non-enterprise infrastructure
  • Remote enterprise resources will not fully trust their local network
  • Security will be maintained between enterprise and non-enterprise infrastructures

Zero Trust Tenets

  • All enterprise network entities are considered resources: All data, users, devices, and systems with access to the enterprise network are considered untrusted resources.
  • All communication is secured: Trust should never be implied regardless of resource privilege or location. All resources with access to the enterprise must be rigorously authenticated and authorized equally.
  • Resources are accessed on a per-session basis: The enterprise must enforce a policy of least privilege and grant resources with the minimum access needed to complete a task. Automatic access to additional resources is never granted unless explicitly authorized.
  • Dynamic policies determine resource access: Adaptive access policies based on context, including a user’s role, location, device, and requested data or service, are used to govern resource access.
  • System and data integrity must be maintained at all times: No asset is inherently trusted. The enterprise must monitor the integrity of all assets, including patch status and vulnerabilities.
  • Resources are rigorously and continuously authenticated and authorized: Trust must be verified and validated continuously. MFA must be used for most, if not all, resource access from users.
  • Enterprise data is collected to improve security: Data should be collected from multiple enterprise sources to give insight and context to improve security posture.

Zero Trust Assumptions

  • The enterprise network is not an implicit trust zone: All connections must be authenticated and traffic encrypted. Network compromise is to be always assumed.
  • Devices on the network might not be owned or configurable by the enterprise: Non-enterprise devices may be present on the enterprise network. Enterprises may employ bring-your-own-device (BYOD) policies, which may include device management software or the installation of anti-malware software.
  • No device is inherently trusted: Enterprises must evaluate all assets continually. Resource credentials alone are insufficient for authentication and authorization.
  • Enterprise resources may reside on non-enterprise infrastructure: Enterprise resources may need to access local networks for connectivity and network and cloud services.
  • Remote enterprise resources will only partially trust their local network connections: All non-enterprise networks are to be considered hostile. All access requests are continually authenticated and authorized.
  • Security will be maintained between enterprise and non-enterprise infrastructures: Resources and workloads will maintain a consistent security policy and posture when transiting to non-enterprise infrastructures.

Maturing the Zero Trust Pillars 

Identity Pillar

Identity is the new perimeter in a ZTA, with the Identity pillar critical to progressing maturity. A traditional network using single-factor authentication (SFA) only verifies that a subject is presenting valid, authorized credentials. ZT applies context and enhances the authentication and authorization process, confirming that the correct subject has the precise attributes, authorization, and circumstances to access a resource by employing multi-factor authentication (MFA), one-time passwords (OTP), or passkeys. Least privilege controls, including role-based access control (RBAC) mechanisms, are deployed to restrict a subject’s visibility and accessibility. The deployment of identity providers, including federated management, ensures that user identities are managed consistently throughout the environment and enables the use of single sign-on (SSO) services, relieving users of keeping track of multiple credentials and allowing authentication to be centrally managed.

Identity risks and insider threats are challenging to address in a traditional network. If a user does not report a credential compromise, the enterprise continues to implicitly trust that individual. Identity risks are addressed and insider threats are mitigated using user behavior analytics. User and entity behavior analytics (UEBA) evaluates a user’s typical behavior pattern. This method uses machine learning to analyze and identify deviations from established practices and alert security staff. UEBA monitors all resources in the enterprise for behavior changes, including servers, devices, and applications.

The table below details some Identity pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Authentication
  • Traditional: On-premises identity management with SFA password policies
  • Initial: Validation of identity through MFA, which could incorporate passwords as one element. Can include several characteristics such as the entity’s location or behavior patterns.
  • Advanced: More centralized identity management with SFA and MFA policies and some user attributes and context enforcement
  • Optimal: Centralized identity management integrated into applications and platforms; MFA policies enforced by user attributes, context, OTP, or passkeys

Identity storage
  • Traditional: On-premises identity providers
  • Initial: A combination of self-managed identity stores and hosted identity stores
  • Advanced: Some identities federated and on-premises, beginning to be securely consolidated and integrated
  • Optimal: Global identity awareness across the enterprise and cloud

Risk
  • Traditional: Minimal identity risk taken into consideration
  • Initial: Risk identified using manual methods and static rules
  • Advanced: Identity risk governed by static rules and analytics, but with some automated analysis and dynamic rules
  • Optimal: User behavior analyzed with support from real-time machine learning to determine and action risks

Monitoring
  • Traditional: User activity monitoring limited to static attributes
  • Initial: Some activity monitored with automated processes
  • Advanced: User activity aggregated with static characteristics and manual analysis
  • Optimal: Centralized user activities monitored by dynamic policies; UEBA used to monitor user characteristics and attributes

Device Pillar

Traditional network security approaches do not consider the device when authorizing access to data because the primary consideration for data access is identity. As enterprises mature the Device pillar and employ policies such as BYOD, they will encounter challenges with device data access, compliance, and management.

Securing devices and endpoints in a perimeterless environment is foundational to ZT. Devices hosted in a ZTA will be subject to continual validation and activity monitoring, even if other resources on the network trust the device. Endpoint security will mature as it moves from signature-based malware detection to advanced multi-layer endpoint protection that incorporates signed software, real-time threat intelligence, device management, and behavioral analysis.

The table below details some Device pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Compliance monitoring
  • Traditional: Limited visibility into device compliance
  • Initial: A basic process is in place for self-reported device characteristics, with limited enforcement mechanisms
  • Advanced: Compliance enforced for most devices
  • Optimal: Compliance continuously monitored and validated

Data access
  • Traditional: Access to data typically not considered and dependent on the enterprise
  • Initial: Some devices or virtual assets required to report characteristics before approving access
  • Advanced: Device security posture considered on first access to data
  • Optimal: Access to device data integrated with real-time device analytics

Asset management
  • Traditional: Device inventory tracked manually
  • Initial: Tracking of all physical and some virtual assets
  • Advanced: Device vulnerabilities, patching, and management automated
  • Optimal: Asset, patch, and vulnerability management integrated across the enterprise, cloud, and remote locations

Endpoint security
  • Traditional: Signature-based antivirus able to detect known threats
  • Initial: Some automated processes for deploying and updating threat protection to devices and virtual assets, with limited policy enforcement
  • Advanced: Signature-based preventative endpoint detection and response (EDR) products, with some machine learning
  • Optimal: Integrated endpoint managed detection and response (MDR) integrated with the Security Operations Centre (SOC) and the use of machine learning

Network Pillar

Cloud-hosted applications, remote workers, and the possibility of rogue devices or malware on devices within the corporate network have dissolved the traditional network perimeter. ZT principles are designed to meet the security requirements of these modern perimeterless networks. Cross-pillar integration between the ZT Network and Identity pillars is vital to ensure secure access to network resources, with encryption deployed by default to protect data confidentiality and integrity.

As an enterprise evolves its architecture toward micro-segmentation, it reduces its network attack surface. Furthermore, by limiting the lateral movement of an attack, an enterprise can better assure its regulatory compliance.

Software-defined networking (SDN) is a networking paradigm that separates a network’s control plane from its data plane. It is a logical, dynamic, and programmable software approach to networking that enables administrators to take complete control of, and get a holistic view of, an enterprise architecture. SDN programmability makes true micro-segmentation achievable by setting granular security policies that define perimeters and dictate which resources may communicate. Unauthorized communication is blocked and an alert is triggered for investigation.
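As an added illustration (not code from the article or from any SDN product), the following Python sketch shows the segmentation policy logic just described: an allow-list of permitted segment-to-segment flows with default deny, where any flow not on the list is blocked and an alert is recorded for investigation. The segment names, ports and sample flows are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt between two workload segments (constructed)."""
    src_segment: str
    dst_segment: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class SegmentPolicy:
    """Default-deny allow-list: (src, dst) -> set of permitted (proto, port)."""
    rules: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def allow(self, src, dst, proto, port):
        self.rules.setdefault((src, dst), set()).add((proto, port))

    def evaluate(self, flow):
        """Return True if the flow is permitted; otherwise block it and record an alert."""
        permitted = (flow.proto, flow.dst_port) in self.rules.get(
            (flow.src_segment, flow.dst_segment), set())
        if not permitted:
            self.alerts.append(
                f"BLOCKED {flow.src_segment}->{flow.dst_segment} "
                f"{flow.proto}/{flow.dst_port}: not in segment policy, investigate")
        return permitted


def build_policy():
    """Constructed three-tier policy: web may reach app, app may reach db,
    and only the management segment may open SSH to any tier."""
    policy = SegmentPolicy()
    policy.allow("web", "app", "tcp", 8443)
    policy.allow("app", "db", "tcp", 5432)
    for tier in ("web", "app", "db"):
        policy.allow("mgmt", tier, "tcp", 22)
    return policy


# Constructed sample flows; the third and fourth violate the policy.
SAMPLE_FLOWS = [
    Flow("web", "app", 8443),
    Flow("app", "db", 5432),
    Flow("web", "db", 5432),   # web tier bypassing the app tier
    Flow("app", "web", 22),    # lateral SSH between tiers
    Flow("mgmt", "db", 22),
]


def enforce(policy, flows):
    """Evaluate each flow in order and return the list of allow/deny decisions."""
    return [policy.evaluate(flow) for flow in flows]


if __name__ == "__main__":
    p = build_policy()
    print(enforce(p, SAMPLE_FLOWS))
    for alert in p.alerts:
        print(alert)
```

The point of the default-deny shape is that a new workload gets no connectivity until someone writes a rule for it, so the attack surface is the rule set itself and can be reviewed as such.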

However, micro-segmentation is limited to the LAN and still gives attackers free rein within a segment, so the optimal form of secure networking is the zero trust network access (ZTNA) model. Under this model, a zero trust controller authenticates users through multi-factor authentication (MFA). The controller then checks the attributes of the user and the device requesting access, such as a certificate, as well as attributes like the device location. Finally, the controller matches the user with a list of applications based on access control policies and grants access. With ZTNA, compromised devices can be instantly blocked, and policies can be dynamically updated and applied device by device.

The table below details some Network pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Architecture
  • Traditional: Macrosegmented perimeter based upon a defense-in-depth “castle and moat” architecture
  • Initial: Network architecture with isolation of critical workloads begins to be deployed, constraining connectivity to least-function principles
  • Advanced: Network progressing toward ingress/egress microperimeters and microsegmentation
  • Optimal: Network architecture complies with zero trust network access (ZTNA) policy-based control of traffic between endpoints

Software-defined networking
  • Traditional: Physical, manually configured, on-premises network devices with fixed control and data planes
  • Initial: SDN design attributes begin to be incorporated into the network architecture
  • Advanced: Some SDN-controlled physical and virtual devices, with control and data planes decoupled
  • Optimal: Fully decoupled data and control planes; physical and virtual SDN-controlled network devices deployed across the enterprise

Security
  • Traditional: Static traffic filtering based upon known threats
  • Initial: Network capabilities to manage availability demands and dynamic security requirements begin to be employed
  • Advanced: Basic security analytics to dynamically detect threats
  • Optimal: Integrated machine learning with context to proactively detect threats

Data-in-transit encryption
  • Traditional: Minimal internal or external data encryption
  • Initial: All traffic to internal applications begins to be encrypted, while preferring encryption for traffic to external applications
  • Advanced: Encryption for all applicable internal and external traffic is ensured
  • Optimal: All internal and external data encrypted, if achievable

Application Pillar

Traditional remote access to applications uses an encrypted virtual private network (VPN). ZTNA changes how applications are accessed from inside and outside the office by removing the need for a VPN. Gartner predicts that by 2025, 70% of remote access will be served by ZTNA as opposed to VPNs. 

Application and network access is traditionally controlled by firewalls based on the message protocol, port, state, and source and destination addresses. Web application firewalls (WAFs) additionally protect applications from cross-site request forgery (CSRF), cross-site scripting (XSS), injection, and other Layer 7 attacks. A WAF acts as a reverse proxy that shields a server from direct exposure to clients attempting to access its resources. Policies govern a WAF’s operation and can be modified quickly and easily. A WAF’s response to a denial-of-service attack can be instantaneous, automatically applying a rate-limiting policy and blocking a source IP that is sending an abusive number of requests.
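The automatic rate-limit-and-block response mentioned above, as an added Python example that is not code from the article or from any WAF product: a per-source sliding window counts requests, and a source exceeding the threshold inside the window is rejected and blocked for a cooldown period. The thresholds and the request log are constructed.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-source rate limit with a temporary block. The threshold, window and
    block duration are assumptions chosen for the demonstration."""

    def __init__(self, max_requests, window_seconds, block_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block_for = block_seconds
        self.history = defaultdict(deque)   # source -> timestamps inside the window
        self.blocked_until = {}             # source -> time at which the block expires

    def check(self, source, now):
        """Return True if the request is served, False if it is rejected."""
        if self.blocked_until.get(source, 0) > now:
            return False                    # still inside the block period
        window = self.history[source]
        while window and now - window[0] >= self.window:
            window.popleft()                # drop requests that aged out of the window
        window.append(now)
        if len(window) > self.max_requests:
            self.blocked_until[source] = now + self.block_for
            window.clear()                  # start fresh once the block lifts
            return False
        return True


# Constructed request log: (source IP, seconds since start). 203.0.113.5 bursts,
# 198.51.100.7 sends a single ordinary request.
SAMPLE_REQUESTS = [("203.0.113.5", t) for t in range(7)] + [
    ("198.51.100.7", 6),
    ("203.0.113.5", 70),   # arrives after the 60 s block has expired
]


def replay(requests, max_requests=5, window_seconds=10, block_seconds=60):
    """Run the request log through a fresh limiter and return the decisions."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds, block_seconds)
    return [limiter.check(source, t) for source, t in requests]


if __name__ == "__main__":
    for (source, t), served in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print(f"t={t:>3}s {source:<14} {'served' if served else 'REJECTED'}")
```

Keying on the source address alone is the simplest policy; a production WAF would typically also key on the authenticated identity or session so that a shared egress address does not block an entire office.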

ZTNA application access is determined by user identity, location, device security posture, and other attributes that contribute to the authorization decision. First, a user connects and is redirected to authenticate using MFA through the organization’s identity provider and single sign-on (SSO) service. The ZT policy engine then applies the security policy, and real-time user and device attributes are verified before access to an application is granted.
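The ZTNA decision sequence described here and in the Network pillar section (MFA check, then device and location attributes, then a policy match against the list of applications, with a compromised device cut off on its next request) as an added Python example. It is not code from the article or from any ZTNA product; the attribute names, applications, policies and sample users are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool      # set by the identity provider after SSO + MFA
    location: str           # assumed coarse location label, e.g. "office", "home"


@dataclass
class Device:
    device_id: str
    has_enterprise_cert: bool
    disk_encrypted: bool
    edr_healthy: bool


@dataclass
class AppPolicy:
    app: str
    allowed_roles: frozenset
    allowed_locations: frozenset


class PolicyEngine:
    """Assumed policy engine: every request is evaluated afresh, so a device
    revoked mid-session fails its next check instead of keeping access."""

    def __init__(self, policies):
        self.policies = {p.app: p for p in policies}
        self.revoked_devices = set()

    def device_posture_ok(self, device):
        return (device.has_enterprise_cert and device.disk_encrypted
                and device.edr_healthy
                and device.device_id not in self.revoked_devices)

    def decide(self, subject, device, app):
        """Return (allowed, reason); the reason names the first failing check."""
        if not subject.mfa_verified:
            return False, "mfa_required"
        if not self.device_posture_ok(device):
            return False, "device_posture"
        policy = self.policies.get(app)
        if policy is None:
            return False, "unknown_app"          # no policy means no access
        if not (subject.roles & policy.allowed_roles):
            return False, "role_not_permitted"
        if subject.location not in policy.allowed_locations:
            return False, "location_not_permitted"
        return True, "ok"

    def reachable_apps(self, subject, device):
        """The application list the controller would present to this user and device."""
        return sorted(app for app in self.policies
                      if self.decide(subject, device, app)[0])

    def revoke_device(self, device_id):
        self.revoked_devices.add(device_id)


def build_engine():
    """Constructed policies: payroll only from the office, wiki and git also from home."""
    return PolicyEngine([
        AppPolicy("payroll", frozenset({"finance"}), frozenset({"office"})),
        AppPolicy("wiki", frozenset({"finance", "eng"}), frozenset({"office", "home"})),
        AppPolicy("git", frozenset({"eng"}), frozenset({"office", "home"})),
    ])


# Constructed sample subjects and device.
ALICE = Subject("alice", frozenset({"finance"}), mfa_verified=True, location="home")
BOB = Subject("bob", frozenset({"eng"}), mfa_verified=False, location="office")
LAPTOP = Device("lap-01", has_enterprise_cert=True, disk_encrypted=True, edr_healthy=True)


if __name__ == "__main__":
    engine = build_engine()
    print(engine.decide(ALICE, LAPTOP, "payroll"))   # denied on location
    print(engine.reachable_apps(ALICE, LAPTOP))      # only wiki from home
    print(engine.decide(BOB, LAPTOP, "git"))         # denied: MFA not completed
    engine.revoke_device("lap-01")
    print(engine.reachable_apps(ALICE, LAPTOP))      # nothing once the device is revoked
```

Two design choices carry the zero trust point: the checks are ordered so that identity and device posture are settled before any application policy is consulted, and the application list is derived from the same decision function rather than from a separate entitlement table, so what the user can see and what the user can reach cannot drift apart.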

The table below details some Application pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Authorization
  • Traditional: Authorization to access applications typically localized on-premises and established upon static attributes with no context
  • Initial: Authorization capabilities that incorporate contextual information per request begin to be implemented
  • Advanced: Increased reliance upon centralized authentication and authorization
  • Optimal: Authorization verified and continually validated, with real-time risk analytics and context taken into consideration

Security
  • Traditional: Traffic controlled using a traditional firewall based on port, destination, and source address
  • Initial: Static and dynamic testing methods are used to perform security testing prior to application deployment
  • Advanced: Traffic controlled using a stateful firewall to track and monitor the state of active network communications
  • Optimal: Traffic controlled using web application firewalls to additionally block application layer attacks via automation and dynamic policies

Threat protection
  • Traditional: Minimal integration between application workflows and threat protection systems, restricted to detecting generally known threats
  • Initial: Threat protections are integrated into mission-critical application workflows, delivering protection against known and application-specific threats
  • Advanced: Essential integration between application workflows and threat protection systems, with a focus on generally known threats and some application-specific protection
  • Optimal: Full integration between application workflows and threat protection systems; application analytics collated and used to analyze application behaviors

Accessibility
  • Traditional: Access to some applications hosted in the cloud, accessible via the internet, with others accessible via VPN
  • Initial: Some applicable mission-critical applications are made available over open public networks to authorized users
  • Advanced: Access to applications hosted on-premises via VPN, with all cloud applications accessible via the internet
  • Optimal: Access to all applications via the internet

Data Pillar

Integration of the Data pillar is essential to achieve optimal ZT maturity. Under optimal ZT maturity, all data at rest is encrypted regardless of where it resides. Labeling, categorization, and inventory of data are critical to its security. Traditional environments conduct data categorization and inventorying manually, which leads to inconsistency that impedes automation. Machine learning helps ensure that the same categorization and inventorying standard is attained across the enterprise.

The least privilege principle across a ZTA enforces data access by only assigning the privileges necessary to perform specific duties and no more. Least privilege access is supplemented by just-in-time, just-enough principles that provide deeper granular access to resources.

The table below details some Data pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Data-at-rest encryption
  • Traditional: Data primarily stored on-premises and typically unencrypted
  • Initial: Data at rest is encrypted where feasible, including both on-premises and cloud environments
  • Advanced: Data encrypted and stored in remote or cloud environments
  • Optimal: All data at rest encrypted

Inventory management
  • Traditional: Poor data inventory due to manual and inconsistent categorization
  • Initial: Data inventory processes begin to be automated for both on-premises and cloud environments, thus beginning to incorporate protections against data loss
  • Advanced: Data categorization using both manual and static analysis methods, with some automated tracking
  • Optimal: Data tagged and tracked for continuous data inventorying, augmented with machine learning

Access
  • Traditional: Static controls governing data access
  • Initial: Some automated data access controls begin to be deployed, incorporating elements of least privilege across the network
  • Advanced: Data governed by least privilege access controls, risk, and other attributes
  • Optimal: Dynamic data access supporting just-in-time and just-enough principles, informed by real-time, risk-based attributes

Protection
  • Traditional: Manual data discovery and classification, with network and endpoint security blocking known threats
  • Initial: Data discovery and classification begin to be automated
  • Advanced: Limited automated data discovery and classification technology employed
  • Optimal: Fully automated data discovery and classification, supported by dynamic data loss prevention technologies and integrated with real-time analytics

Observability Pillar

ZT observability measures enterprise systems’ internal states by analyzing their data outputs. Logs and resource data are collected and analyzed to produce a baseline of the enterprise network. Deviation from that baseline alerts the organization’s security or IT staff to investigate.
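The baseline-and-deviation idea described here, and the UEBA behaviour-pattern analysis described under the Identity pillar, share one mechanism: learn what is normal for each entity from historical data, then flag events that fall outside it. The following Python example is added here and is not code from the article or from any UEBA product. It learns a per-user baseline (countries seen and login hours) from successful authentication events and reports why a new event deviates; the log format, field names and log lines are constructed, and the hour tolerance is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format, not a real product's: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_country=(?P<country>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>\S+)$")


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(lines):
    """Per-user baseline from successful logins: countries seen and login hours."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": []})
    for line in lines:
        event = parse(line)
        if event is None or event["result"] != "success":
            continue            # failed attempts must not teach the baseline
        entry = baseline[event["user"]]
        entry["countries"].add(event["country"])
        entry["hours"].append(event["ts"].hour)
    return dict(baseline)


def deviations(baseline, line, hour_tolerance=2):
    """Return the reasons an event deviates from its user's baseline (empty when
    it fits). Unknown users and unparseable lines are flagged as well."""
    event = parse(line)
    if event is None:
        return ["unparseable"]
    entry = baseline.get(event["user"])
    if entry is None:
        return ["unknown_user"]
    reasons = []
    if event["country"] not in entry["countries"]:
        reasons.append("new_country")
    earliest, latest = min(entry["hours"]), max(entry["hours"])
    hour = event["ts"].hour
    if hour < earliest - hour_tolerance or hour > latest + hour_tolerance:
        reasons.append("unusual_hour")
    return reasons


# Constructed training window: alice works UK office hours, bob US hours.
TRAINING_LOGS = [
    "2023-02-01T08:02:11Z user=alice src_country=GB host=vpn-gw result=success",
    "2023-02-01T09:15:40Z user=alice src_country=GB host=vpn-gw result=success",
    "2023-02-02T10:41:05Z user=alice src_country=GB host=vpn-gw result=success",
    "2023-02-02T17:30:00Z user=alice src_country=GB host=vpn-gw result=success",
    "2023-02-02T18:05:12Z user=alice src_country=FR host=vpn-gw result=failure",
    "2023-02-01T09:00:00Z user=bob src_country=US host=vpn-gw result=success",
    "2023-02-01T13:20:00Z user=bob src_country=US host=vpn-gw result=success",
    "2023-02-02T18:45:00Z user=bob src_country=US host=vpn-gw result=success",
]


def review(baseline, new_lines):
    """Return (line, reasons) for every new event that deviates from its baseline."""
    flagged = []
    for line in new_lines:
        reasons = deviations(baseline, line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(TRAINING_LOGS)
    for line, reasons in review(baseline, [
        "2023-02-24T03:14:00Z user=alice src_country=RU host=vpn-gw result=success",
        "2023-02-24T09:30:00Z user=alice src_country=GB host=vpn-gw result=success",
    ]):
        print(reasons, line)
```

Excluding failed attempts from training matters: otherwise a credential-stuffing campaign from a new country would quietly widen the baseline and make the eventual successful login look normal.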

The table below details some Observability pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Device visibility
  • Traditional: Manual label inspections and network discovery and reporting
  • Initial: Initial device visibility capabilities are implemented, beginning to automate the creation of device lists
  • Advanced: Authorized lists of devices resolved against inventories, with noncompliant devices isolated manually
  • Optimal: Endpoint detection and response (EDR) systems continually inspecting and reporting on device security postures

Network visibility
  • Traditional: Perimeter visibility with centralized log analysis
  • Initial: Automation of log and event collection begins to be implemented
  • Advanced: Integrated enterprise log analysis with manual triggers and alerts
  • Optimal: Integrated enterprise log analysis with automated triggers and alerts

Application visibility
  • Traditional: Security and health monitoring of applications performed in isolation, away from enterprise security sensors
  • Initial: Monitoring of applications is undertaken, gradually integrating and harmonizing with selected enterprise sensors, marking a transition from isolated monitoring to a more interconnected approach
  • Advanced: Security and health monitoring of applications performed, with some enterprise security sensors
  • Optimal: Enterprise sensors integrated with application security and health monitoring, with continuous and dynamic monitoring

Data visibility
  • Traditional: Visibility impacted by limited analytics and data inventories
  • Initial: Data inventories start to expand and basic analytics are applied, marking a developmental phase between limited analytics and comprehensive data accountability
  • Advanced: Data mainly inventoried and accountable, with analytics limited to unencrypted data
  • Optimal: Data fully accounted for and inventoried; all access events and suspicious events logged and analyzed, with analytics possible on encrypted data

Automation Pillar

The weakest link in security is the human. As a ZTA implementation matures, more automation will be introduced, reducing human error. Automation will benefit data discovery because when high-value data is identified and categorized, it can better conform with enterprise data life cycles.

The table below details some Automation pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Device provisioning
  • Traditional: Devices have static capacity allocation and are manually provisioned
  • Initial: Devices begin to be provisioned using automated processes
  • Advanced: Devices have policy-driven distributions and can be scaled and provisioned using automated processes
  • Optimal: Devices can be dynamically scaled and deployed using infrastructure as code along with continuous integration/continuous deployment (CI/CD) principles

Network automation
  • Traditional: Network changes and workflows manually planned and executed
  • Initial: Planning and execution of network changes and workflows begin to adopt some level of automation, facilitating the transition from purely manual operations to an environment where manual and automated processes coexist
  • Advanced: Network changes and workflows automated
  • Optimal: Network configured by infrastructure as code, with pervasive automation

Application hosting locations
  • Traditional: Application hosting locations manually assigned by enterprise administrators
  • Initial: Hosting locations are primarily manually assigned; a transition towards applications gradually gaining awareness of their location and state begins, setting the stage for dynamic communication of changes in their state
  • Advanced: Applications are aware of their location and can communicate their changing state
  • Optimal: Applications adapt to ongoing enterprise environmental changes automatically for security and performance optimization

High-value data discovery
  • Traditional: Some data management automated, with much automation impeded by inconsistent categorization and labeling
  • Initial: A blend of automated data management and manual audits is employed to identify and safeguard high-value data
  • Advanced: Manual audits commissioned to locate high-value data and assess access controls, with limited automation applied to controls and backups
  • Optimal: High-value data access controls enforced automatically and always backed up, with automated inventorying

Summary

Maturing zero trust is a journey and a challenge that requires a robust strategy for success. The seven pillars of ZT can evolve at different rates, but to attain optimal ZT they must integrate. The seven tenets that regulate the pillars must be consulted before maturity decisions are made, so that those decisions conform to them. As an enterprise matures the pillars, it will reduce its attack surface, obtain better visibility of its network, and become more automated.
